SysAdmin Tip - user may alter root-owned files and directories

19 Nov 2009

Here’s a friendly system administration tip, for Linux/FreeBSD/Unix-type systems: root-owned files and directories in a directory owned by a user can still be modified by the user.

The scenario usually presented is that the sys admin doesn’t want a user modifying a certain configuration file in the user’s home directory. Modifying is usually understood as editing. Hence the sys admin will do the following:

As demonstrated in the examples a user still has control over root-owned files and directories in directories the user owns. For files a user may:

Delete the file

Rename the file

For directories the user may:

Rename the directory

Delete the directory, if the directory is empty

A user may take one of the above actions, then create his own file or directory containing the content he desires.

If the system administrator truly wants to prevent the user from manipulating such files and directories then the admin needs take one of the following actions:

Do not put the files and directories in the user’s home directory

Make the file or directory immutable ( not compatible with all systems )

In my opinion option #1 is the better way to go, when possible.

Note: other ways I’ve seen admins attempt to block this is to prevent a user from accessing his home directory. For example disabling SSH, FTP and similar methods of interfacing with the home directory.